A novel enterprise security solution allows for precise interception of, and surgical response to, attack progression in real time, as it occurs across a distributed infrastructure. The solution includes a data monitoring and management framework that continually models system-level host and network activities as mutually exclusive, infrastructure-wide execution sequences and bucketizes them into unique execution trails. A multimodal intelligent security middleware detects indicators of compromise in real time on subsets of each unique execution trail using rule-based behavioral analytics, machine-learning-based anomaly detection, and other sources. Each detection result dynamically contributes to an aggregated risk score maintained at the granularity of each execution trail. These scores can be used to identify and prioritize the highest-risk attack trails for end users, along with steps those end users can take to mitigate further damage and progression of an attack.
Legal claims defining the scope of protection, as filed with the USPTO.
1. A computer-implemented method for identifying relationships among infrastructure security-related events, the method comprising: monitoring, by a plurality of software agents deployed on respective operating systems in an infrastructure, system level activities associated with the respective operating systems; and constructing, based on the system level activities, an execution graph comprising one or more execution trails, wherein the constructing comprises: creating a first node in the execution graph representing a first entity monitored by one of the software agents, wherein the first entity comprises a first process; creating a second node in the execution graph representing a second entity monitored by one of the software agents, wherein the second entity comprises a second process; identifying, based on the monitored system level activities, a relationship between the first entity and the second entity, wherein identifying the relationship between the first entity and the second entity comprises: identifying, by one of the software agents, a first system call to initiate a connection by the first process; identifying, by one of the software agents, a second system call to accept a connection by the second process; and matching, based on the first system call and the second system call, the connection initiated by the first process and the connection accepted by the second process; and recording the relationship as an edge between the first node and the second node in the execution graph.
2. The method of claim 1, wherein the execution graph comprises a plurality of nodes and a plurality of edges connecting the nodes, wherein each node represents an entity comprising a process or an artifact, and wherein each edge represents an event associated with an entity.
3. The method of claim 2, wherein a plurality of edges in the execution graph are atomic such that there is a one-to-one mapping between each such edge and a system call identified in the system level activities.
4. The method of claim 2, wherein a plurality of edges in the execution graph are implied in that each such edge is created following the observation of a predefined set of events.
5. The method of claim 1, wherein the system level activities comprise (i) system calls to initiate connections and (ii) system calls to accept connections.
6. The method of claim 1, wherein the connection comprises a network connection between the first process executing on a first one of the operating systems and the second process executing on a second one of the operating systems.
7. The method of claim 1, wherein the connection comprises a local connection between the first process and the second process each executing on a same operating system.
8. The method of claim 1, wherein identifying the relationship between the first entity and the second entity comprises determining that a parent process has handed off, to a child process, a connection accepted by the parent process.
9. The method of claim 1, wherein identifying the relationship between the first entity and the second entity comprises determining that one thread has taken over a connection accepted by a different thread.
10. A system for identifying relationships among infrastructure security-related events, the system comprising: a processor; and a memory storing computer-executable instructions that, when executed by the processor, program the processor to perform the operations of: monitoring, by a plurality of software agents deployed on respective operating systems in an infrastructure, system level activities associated with the respective operating systems; and constructing, based on the system level activities, an execution graph comprising one or more execution trails, wherein the constructing comprises: creating a first node in the execution graph representing a first entity monitored by one of the software agents, wherein the first entity comprises a first process; creating a second node in the execution graph representing a second entity monitored by one of the software agents, wherein the second entity comprises a second process; identifying, based on the monitored system level activities, a relationship between the first entity and the second entity, wherein identifying the relationship between the first entity and the second entity comprises: identifying, by one of the software agents, a first system call to initiate a connection by the first process; identifying, by one of the software agents, a second system call to accept a connection by the second process; and matching, based on the first system call and the second system call, the connection initiated by the first process and the connection accepted by the second process; and recording the relationship as an edge between the first node and the second node in the execution graph.
11. The system of claim 10, wherein the execution graph comprises a plurality of nodes and a plurality of edges connecting the nodes, wherein each node represents an entity comprising a process or an artifact, and wherein each edge represents an event associated with an entity.
12. The system of claim 11, wherein a plurality of edges in the execution graph are atomic such that there is a one-to-one mapping between each such edge and a system call identified in the system level activities.
13. The system of claim 11, wherein a plurality of edges in the execution graph are implied in that each such edge is created following the observation of a predefined set of events.
14. The system of claim 10, wherein the system level activities comprise (i) system calls to initiate connections and (ii) system calls to accept connections.
15. The system of claim 10, wherein the connection comprises a network connection between the first process executing on a first one of the operating systems and the second process executing on a second one of the operating systems.
16. The system of claim 10, wherein the connection comprises a local connection between the first process and the second process each executing on a same operating system.
17. The system of claim 10, wherein identifying the relationship between the first entity and the second entity comprises determining that a parent process has handed off, to a child process, a connection accepted by the parent process.
18. The system of claim 10, wherein identifying the relationship between the first entity and the second entity comprises determining that one thread has taken over a connection accepted by a different thread.
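The core of claims 1 and 10 is a matching step: an agent on one host sees a process call connect(), an agent on another host sees a process call accept(), and the two observations are paired into a single edge between the two process nodes. The example below is an added illustration of that step and is not the patent's code or any vendor's product. It constructs a handful of agent events (field names such as "local", "remote" and "child_pid" are this example's own), matches connect/accept pairs on the connection 4-tuple regardless of arrival order, and then handles the two dependent-claim cases a practitioner hits immediately in practice: a pre-forking server whose child inherits the accepted socket (claim 8, recorded as an implied edge in the sense of claim 4) and a thread pool in which a thread other than the acceptor services the connection (claim 9).

```python
"""Execution graph built from agent-reported system calls.

Added example, not the patent's own code. Agents on two constructed hosts report
connect()/accept() events; the graph matches the two sides on the connection
4-tuple (client ip, client port, server ip, server port) and records an edge
between the client and server process nodes (claims 1, 3, 6). It also covers
claim 8 (a forked child inherits and services the accepted socket; recorded as
an implied "handoff" edge, claim 4) and claim 9 (a thread other than the
acceptor reads from the connection). Event field names are invented here.
"""

IO_CALLS = {"read", "recv", "recvfrom", "write", "send"}


class ExecutionGraph:
    def __init__(self):
        self.nodes = set()       # process entities: (host, pid)
        self.edges = []          # (src_node, dst_node, label)
        self.connections = {}    # 4-tuple -> client, server, acceptor_tid, servicing_tids
        self._pending = {}       # 4-tuple seen from one side only -> (role, node, tid)
        self._fd_conn = {}       # (host, pid, fd) -> (4-tuple, role) for that descriptor

    def _node(self, host, pid):
        node = (host, pid)
        self.nodes.add(node)
        return node

    def feed(self, ev):
        """Consume one agent event; events from different hosts may arrive in any order."""
        host, pid = ev["host"], ev["pid"]
        tid = ev.get("tid", pid)
        me = self._node(host, pid)
        call = ev["syscall"]
        if call == "connect":
            key = ev["local"] + ev["remote"]          # local end is the client
            self._fd_conn[(host, pid, ev["fd"])] = (key, "client")
            self._match(key, "client", me, tid)
        elif call == "accept":
            key = ev["remote"] + ev["local"]          # the peer is the client
            self._fd_conn[(host, pid, ev["fd"])] = (key, "server")
            self._match(key, "server", me, tid)
        elif call == "clone":
            child = self._node(host, ev["child_pid"])
            self.edges.append((me, child, "clone"))
            # fork(): the child starts with a copy of the parent's descriptor table
            for (h, p, fd), val in list(self._fd_conn.items()):
                if (h, p) == (host, pid):
                    self._fd_conn[(host, ev["child_pid"], fd)] = val
        elif call in IO_CALLS:
            key, role = self._fd_conn.get((host, pid, ev["fd"]), (None, None))
            conn = self.connections.get(key)
            if conn is None or role != "server":
                return
            if conn["server"] != me:
                # claim 8: a process other than the acceptor (the forked child) now
                # services the connection; no single syscall says so, hence "implied"
                self.edges.append((conn["server"], me, "handoff"))
                conn["server"] = me
            elif tid != conn["acceptor_tid"]:
                conn["servicing_tids"].add(tid)   # claim 9: another thread took over

    def _match(self, key, role, node, tid):
        """Pair connect() with the accept() for the same 4-tuple, whichever arrives first."""
        other = self._pending.pop(key, None)
        if other is None or other[0] == role:     # unmatched, or a duplicate from the same side
            self._pending[key] = (role, node, tid)
            return
        _, other_node, other_tid = other
        client, server = (node, other_node) if role == "client" else (other_node, node)
        acceptor_tid = tid if role == "server" else other_tid
        self.connections[key] = {"client": client, "server": server,
                                 "acceptor_tid": acceptor_tid, "servicing_tids": set()}
        self.edges.append((client, server, "connect"))   # one atomic edge per matched pair


def build_demo_graph():
    """Constructed events: host 'web' (client pid 100) talks to host 'api' (server pid 200)."""
    events = [
        # the accept is reported before the matching connect (cross-host reordering)
        {"host": "api", "pid": 200, "tid": 2000, "syscall": "accept", "fd": 7,
         "local": ("10.0.0.2", 8443), "remote": ("10.0.0.1", 51000)},
        {"host": "web", "pid": 100, "syscall": "connect", "fd": 5,
         "local": ("10.0.0.1", 51000), "remote": ("10.0.0.2", 8443)},
        # claim 8: the server forks a worker that inherits fd 7 and reads the request
        {"host": "api", "pid": 200, "tid": 2000, "syscall": "clone", "child_pid": 201},
        {"host": "api", "pid": 201, "syscall": "read", "fd": 7},
        # claim 9: second connection accepted by thread 2000, serviced by thread 2001
        {"host": "web", "pid": 100, "syscall": "connect", "fd": 6,
         "local": ("10.0.0.1", 51001), "remote": ("10.0.0.2", 8443)},
        {"host": "api", "pid": 200, "tid": 2000, "syscall": "accept", "fd": 8,
         "local": ("10.0.0.2", 8443), "remote": ("10.0.0.1", 51001)},
        {"host": "api", "pid": 200, "tid": 2001, "syscall": "recv", "fd": 8},
    ]
    graph = ExecutionGraph()
    for ev in events:
        graph.feed(ev)
    return graph
```

Two caveats carry over to any real deployment of this matching step. First, the 4-tuple is only a usable join key when both agents see the same addresses; a NAT, load balancer or proxy between the hosts rewrites the client side and breaks the pairing, so a production agent needs an additional correlation signal (for example, the proxy's own connect/accept pair as an intermediate node). Second, unmatched entries in a pending table like `_pending` must age out, because ephemeral ports are reused and a stale half-connection would otherwise be paired with an unrelated later one.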
July 25, 2019
April 21, 2020